Select country
Review how this page describes privacy-law coverage for your school jurisdiction.
Last reviewed: March 2026
River SIS processes personal data for school management operations including student administration, staff records, and school activities. For Singapore schools, this page summarises how our operational privacy practices align to the Personal Data Protection Act 2012 (PDPA) and the PDPC's core data protection obligations, including accountability, notification, access and correction, accuracy, protection, retention limitation, transfer limitation, and notifiable data breach response.
| Classification | Description | Examples |
|---|---|---|
| PII | Personally identifiable information | Database records, user profile images |
| Confidential | Sensitive operational data | App configuration, environment secrets |
| Audit | Access and activity records | Database audit logs, admin activity |
| Internal | Non-personal operational data | Application logs, container images |
| Data Category | Storage | Retention | Deletion |
|---|---|---|---|
| Customer images (current) | S3 | Indefinite | Manual on request |
| Customer images (superseded) | S3 | 30 days | Automatic (S3 Lifecycle) |
| Database backups | DocumentDB | 30 days | Automatic |
| Application logs | CloudWatch | 7 days | Automatic |
| Database audit logs | CloudWatch | 90 days | Automatic |
Singapore's PDPA provides individuals with rights to request access to personal data and information about its use or disclosure, and to request correction of inaccurate data. We support verified requests through customer administrators and internal review workflows.
Singapore's PDPA is built around consent, notification, purpose limitation, and retention limitation rather than a standalone GDPR-style erasure right. We therefore review deletion or withdrawal-related requests alongside the original collection purpose, customer instructions, and retention obligations.
The PDPA requires organisations to make reasonable efforts to ensure personal data is accurate and complete where likely to be used to make decisions or disclosed to others. Administrative controls and update workflows support those obligations.
Singapore has introduced a data portability framework under the PDPA, though scope and implementation depend on the applicable data class and operational context. Where appropriate and technically feasible, we support structured export paths.
For Singapore coverage, we also focus on the transfer limitation obligation and notifiable data breach requirements. Where data is transferred outside Singapore, we aim to maintain a comparable standard of protection and apply incident-response processes that support timely assessment and notification.
Review data classification, retention settings, access permissions, and operational changes that may affect privacy risk.
Conduct least-privilege access reviews, verify key security controls, and document material changes to processing activities or vendor arrangements.
Perform a fuller review of data inventories, test data-rights handling and deletion workflows, review incident-response readiness, and update this document.
To exercise any of your data rights or for privacy-related enquiries, please contact SchoolHero.io OÜ at info@riversis.com or by post at Harju maakond, Kuusalu vald, Pudisoo küla, Männimäe, 74626, Estonia.
